CLAIMS

What is claimed is: 

1. A method for controlling access rights of a requesting principal to a protected resource in a computer system, wherein a principal is associated with at least one role, the method comprising:

associating a role filter with a role;
associating a set of one or more capabilities with the role;
associating a capability filter with a capability in the set of one or more capabilities; and
authorizing access for the requesting principal to the protected resource based on an association between the requesting principal and the role and based on an association between the protected resource and a capability of the role.

2. The method of claim 1 further comprising:

evaluating the role filter to determine a set of one or more principals to be associated with the role; and
evaluating the capability filter to determine a set of one or more resources to be associated with the capability.

3. The method of claim 1 further comprising:

associating a resource type with each capability in the set of one or more capabilities, wherein each capability defines access to at least one resource of the resource type.
4. The method of claim 1 further comprising:

associating a set of one or more access conditions with each capability in the set of one or more capabilities, wherein each access condition defines an access constraint against authorizing access for the requesting principal to the protected resource.

5. The method of claim 4 further comprising:

associating a set of one or more rights with each access condition in the set of one or more access conditions, wherein each right defines an access type for authorized access for the requesting principal to the protected resource.

6. The method of claim 1 further comprising:

associating a filterRoles list with the requesting principal, wherein the filterRoles list is a multivalued attribute containing a set of one or more roles;
associating a filterMembers list with the role, wherein the filterMembers list is a multivalued attribute containing a set of one or more principals;
adding the role to the filterRoles list associated with the requesting principal if the requesting principal is added to the filterMembers list associated with the role; and
adding the requesting principal to the filterMembers list associated with the role if the role is added to the filterRole list associated with the requesting principal.
7. The method of claim 1 further comprising:

associating a filterCapabilities list with a resource, wherein the filterCapabilities list is a multivalued attribute containing a set of one or more capabilities;
associating a filterTargets list with a capability, wherein the filterTargets list is a multivalued attribute containing a set of one or more resources;
adding the capability to the filterCapabilities list associated with the resource if the resource is added to the filterTargets list associated with the capability; and
adding the resource to the filterTargets list associated with the capability if the capability is added to the filterCapabilities list associated with the resource.

8. The method of claim 1 further comprising:

receiving notification of an update to an instance, wherein the instance has a type selecting from the group of "principal", "resource", "capability", or "role";
determining the type of the instance;
searching for capabilities with a resource type that matches the type of the instance; and
running capability filters of matched capabilities against the instance.

9. The method of claim 8 further comprising:

in response to a determination that the type of the instance is "principal", running all role filters against the instance.



10. The method of claim 9 further comprising:

in response to a determination that the type of the instance is "role" or "capability", determining whether a filter of the instance has been updated; and
in response to a determination that the filter of the instance has been updated, running the filter of the instance in accordance with the type of the instance.
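The following Python model is an added illustration of the method of claims 1 through 10, not code from the patent or its assignee. The class names (Entity, Role, Capability, AccessManager) and the attribute names filter_roles, filter_members, filter_capabilities and filter_targets are constructed to mirror the claims' filterRoles, filterMembers, filterCapabilities and filterTargets; the sample principals, resources, role and capability are constructed too. Two modelling choices go beyond the claim text and are assumptions: an access condition (claims 4 and 5) is represented as a predicate paired with the set of rights it grants, and re-running a filter also removes a principal or resource that no longer matches, whereas the claims only speak of adding.

```python
"""Filter-driven role/capability authorization modelled on claims 1-10 (added
illustration; every class and attribute name here is constructed, not from the page)."""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

@dataclass
class Entity:
    """A principal or a resource; claim 8 calls either an 'instance' with a type."""
    kind: str                                                    # "principal" or "resource"
    name: str
    attrs: dict = field(default_factory=dict)
    filter_roles: Set[str] = field(default_factory=set)          # claim 6 (principals)
    filter_capabilities: Set[str] = field(default_factory=set)   # claim 7 (resources)

@dataclass
class Capability:
    kind = "capability"                                 # instance type used by claims 8-10
    name: str
    resource_type: str                                  # claim 3: kind of entity it targets
    cap_filter: Callable[[Entity], bool]                # capability filter (claim 1)
    # claims 4 and 5 (assumed representation): each access condition is a predicate
    # over (principal, resource) paired with the set of rights it grants
    conditions: List[Tuple[Callable[[Entity, Entity], bool], Set[str]]]
    filter_targets: Set[str] = field(default_factory=set)        # claim 7

@dataclass
class Role:
    kind = "role"                                       # instance type used by claims 8-10
    name: str
    role_filter: Callable[[Entity], bool]               # role filter (claim 1)
    capabilities: Set[str]                              # capabilities of the role (claim 1)
    filter_members: Set[str] = field(default_factory=set)        # claim 6

class AccessManager:
    def __init__(self) -> None:
        self.entities, self.roles, self.capabilities = {}, {}, {}
    # claim 6: filterMembers and filterRoles are always updated together
    def set_membership(self, role: Role, p: Entity, member: bool) -> None:
        (role.filter_members.add if member else role.filter_members.discard)(p.name)
        (p.filter_roles.add if member else p.filter_roles.discard)(role.name)
    # claim 7: filterTargets and filterCapabilities are always updated together
    def set_target(self, cap: Capability, r: Entity, target: bool) -> None:
        (cap.filter_targets.add if target else cap.filter_targets.discard)(r.name)
        (r.filter_capabilities.add if target else r.filter_capabilities.discard)(cap.name)
    # claim 2: the role filter decides which principals the role is associated with
    def run_role_filter(self, role: Role) -> Set[str]:
        for e in self.entities.values():
            if e.kind == "principal":
                self.set_membership(role, e, bool(role.role_filter(e)))
        return set(role.filter_members)
    # claims 2 and 8: a capability filter applies only to instances of its resource type
    def run_capability_filter(self, cap: Capability, e: Entity) -> bool:
        hit = e.kind == cap.resource_type and bool(cap.cap_filter(e))
        self.set_target(cap, e, hit)
        return hit
    # claim 1: principal->role and resource->capability associations decide access,
    # subject to an access condition of that capability granting the right (claims 4, 5)
    def authorize(self, p: Entity, r: Entity, right: str) -> bool:
        for role_name in p.filter_roles:
            for cap_name in self.roles[role_name].capabilities & r.filter_capabilities:
                for cond, rights in self.capabilities[cap_name].conditions:
                    if right in rights and cond(p, r):
                        return True
        return False
    # claims 8-10: on an update notification, re-run only the filters it can affect
    def notify_update(self, inst, filter_updated: bool = False) -> None:
        if inst.kind == "principal":                                 # claim 9
            for role in self.roles.values():
                self.set_membership(role, inst, bool(role.role_filter(inst)))
        if inst.kind in ("principal", "resource"):                   # claim 8
            for cap in self.capabilities.values():
                if cap.resource_type == inst.kind:
                    self.run_capability_filter(cap, inst)
        elif filter_updated:                                         # claim 10
            if inst.kind == "role":
                self.run_role_filter(inst)
            else:
                for e in self.entities.values():
                    self.run_capability_filter(inst, e)

def demo() -> dict:
    am = AccessManager()   # constructed sample data, not taken from the page
    alice = Entity("principal", "alice", {"dept": "finance", "clearance": 2})
    bob = Entity("principal", "bob", {"dept": "eng", "clearance": 1})
    ledger = Entity("resource", "ledger", {"owner": "finance"})
    wiki = Entity("resource", "wiki", {"owner": "eng"})
    am.entities.update({e.name: e for e in (alice, bob, ledger, wiki)})
    cap = Capability("read_finance", "resource", lambda r: r.attrs.get("owner") == "finance",
                     [(lambda p, r: p.attrs["clearance"] >= 2, {"read"}),
                      (lambda p, r: p.attrs["clearance"] >= 3, {"read", "write"})])
    role = Role("finance_staff", lambda p: p.attrs.get("dept") == "finance", {"read_finance"})
    am.capabilities[cap.name], am.roles[role.name] = cap, role
    am.run_role_filter(role)
    for e in am.entities.values():
        am.run_capability_filter(cap, e)
    before = (am.authorize(alice, ledger, "read"), am.authorize(alice, ledger, "write"),
              am.authorize(bob, ledger, "read"), am.authorize(alice, wiki, "read"))
    bob.attrs.update(dept="finance", clearance=2)   # bob joins finance: claim 9 re-runs role filters
    wiki.attrs["owner"] = "finance"                  # wiki handed to finance: claim 8 re-runs cap filters
    am.notify_update(bob)
    am.notify_update(wiki)
    after = (am.authorize(bob, ledger, "read"), am.authorize(alice, wiki, "read"))
    return {"before": before, "after": after, "members": sorted(role.filter_members)}
```

Running demo() shows the two halves of claim 1 working together: alice is in the role through the role filter and the ledger is a target of the capability through the capability filter, so she can read it, but the write right is withheld because no access condition she satisfies grants it. Before the updates bob is not a member of the role and the wiki is not a target, so those checks fail; after the two notifications (claim 9 for the principal, claim 8 for the resource) both succeed, and the paired lists filterMembers/filterRoles and filterTargets/filterCapabilities never drift apart because every change goes through set_membership or set_target.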
11. An apparatus for controlling access rights of a requesting principal to a protected resource in a computer system, wherein a principal is associated with at least one role, the apparatus comprising:

means for associating a role filter with a role;
means for associating a set of one or more capabilities with the role;
means for associating a capability filter with a capability in the set of one or more capabilities; and
means for authorizing access for the requesting principal to the protected resource based on an association between the requesting principal and the role and based on an association between the protected resource and a capability of the role.

12. The apparatus of claim 11 further comprising:

means for evaluating the role filter to determine a set of one or more principals to be associated with the role; and
means for evaluating the capability filter to determine a set of one or more resources to be associated with the capability.

13. The apparatus of claim 11 further comprising:

means for associating a resource type with each capability in the set of one or more capabilities, wherein each capability defines access to at least one resource of the resource type.
14. The apparatus of claim 11 further comprising:

means for associating a set of one or more access conditions with each capability in the set of one or more capabilities, wherein each access condition defines an access constraint against authorizing access for the requesting principal to the protected resource.

15. The apparatus of claim 14 further comprising:

means for associating a set of one or more rights with each access condition in the set of one or more access conditions, wherein each right defines an access type for authorized access for the requesting principal to the protected resource.

16. The apparatus of claim 11 further comprising:

means for associating a filterRoles list with the requesting principal, wherein the filterRoles list is a multivalued attribute containing a set of one or more roles;
means for associating a filterMembers list with the role, wherein the filterMembers list is a multivalued attribute containing a set of one or more principals;
means for adding the role to the filterRoles list associated with the requesting principal if the requesting principal is added to the filterMembers list associated with the role; and
means for adding the requesting principal to the filterMembers list associated with the role if the role is added to the filterRole list associated with the requesting principal.
17. The apparatus of claim 11 further comprising:

means for associating a filterCapabilities list with a resource, wherein the filterCapabilities list is a multivalued attribute containing a set of one or more capabilities;
means for associating a filterTargets list with a capability, wherein the filterTargets list is a multivalued attribute containing a set of one or more resources;
means for adding the capability to the filterCapabilities list associated with the resource if the resource is added to the filterTargets list associated with the capability; and
means for adding the resource to the filterTargets list associated with the capability if the capability is added to the filterCapabilities list associated with the resource.

18. The apparatus of claim 11 further comprising:

means for receiving notification of an update to an instance, wherein the instance has a type selecting from the group of "principal", "resource", "capability", or "role";
means for determining the type of the instance;
means for searching for capabilities with a resource type that matches the type of the instance; and
means for running capability filters of matched capabilities against the instance.



AUS92001010

19. The apparatus of claim 18 further comprising:

means for running all role filters against the instance in response to a determination that the type of the instance is "principal".

20. The apparatus of claim 19 further comprising:

means for determining whether a filter of the instance has been updated in response to a determination that the type of the instance is "role" or "capability"; and
means for running the filter of the instance in accordance with the type of the instance in response to a determination that the filter of the instance has been updated.
21. A computer program product in a computer readable medium for use in a data processing system for controlling access rights of a requesting principal to a protected resource, wherein a principal is associated with at least one role, the computer program product comprising:

instructions for associating a role filter with a role;
instructions for associating a set of one or more capabilities with the role;
instructions for associating a capability filter with a capability in the set of one or more capabilities; and
instructions for authorizing access for the requesting principal to the protected resource based on an association between the requesting principal and the role and based on an association between the protected resource and a capability of the role.

22. The computer program product of claim 21 further comprising:

instructions for evaluating the role filter to determine a set of one or more principals to be associated with the role; and
instructions for evaluating the capability filter to determine a set of one or more resources to be associated with the capability.
23. The computer program product of claim 21 further comprising:

instructions for associating a resource type with each capability in the set of one or more capabilities, wherein each capability defines access to at least one resource of the resource type.

24. The computer program product of claim 21 further comprising:

instructions for associating a set of one or more access conditions with each capability in the set of one or more capabilities, wherein each access condition defines an access constraint against authorizing access for the requesting principal to the protected resource.

25. The computer program product of claim 24 further comprising:

instructions for associating a set of one or more rights with each access condition in the set of one or more access conditions, wherein each right defines an access type for authorized access for the requesting principal to the protected resource.

26. The computer program product of claim 21 further comprising:

instructions for associating a filterRoles list with the requesting principal, wherein the filterRoles list is a multivalued attribute containing a set of one or more roles;
instructions for associating a filterMembers list with the role, wherein the filterMembers list is a multivalued attribute containing a set of one or more principals;
instructions for adding the role to the filterRoles list associated with the requesting principal if the requesting principal is added to the filterMembers list associated with the role; and
instructions for adding the requesting principal to the filterMembers list associated with the role if the role is added to the filterRole list associated with the requesting principal.

27. The computer program product of claim 21 further comprising:

instructions for associating a filterCapabilities list with a resource, wherein the filterCapabilities list is a multivalued attribute containing a set of one or more capabilities;
instructions for associating a filterTargets list with a capability, wherein the filterTargets list is a multivalued attribute containing a set of one or more resources;
instructions for adding the capability to the filterCapabilities list associated with the resource if the resource is added to the filterTargets list associated with the capability; and
instructions for adding the resource to the filterTargets list associated with the capability if the capability is added to the filterCapabilities list associated with the resource.
28. The computer program product of claim 21 further comprising:

instructions for receiving notification of an update to an instance, wherein the instance has a type selecting from the group of "principal", "resource", "capability", or "role";
instructions for determining the type of the instance;
instructions for searching for capabilities with a resource type that matches the type of the instance; and
instructions for running capability filters of matched capabilities against the instance.

29. The computer program product of claim 28 further comprising:

instructions for running all role filters against the instance in response to a determination that the type of the instance is "principal".

30. The computer program product of claim 29 further comprising:

instructions for determining whether a filter of the instance has been updated in response to a determination that the type of the instance is "role" or "capability"; and
instructions for running the filter of the instance in accordance with the type of the instance in response to a determination that the filter of the instance has been updated.